Improvements Are Needed to the Information Security Program Governance Process

Issued on March 11, 2008


Highlights of Report Number: 2008-20-076 to the Internal Revenue Service Chief Information Officer.


The Internal Revenue Service (IRS) is responsible for developing an effective information security governance process that complies with Federal Government standards. The IRS could make improvements in monitoring compliance with security policies and procedures and in issuing security guidance for all employees to follow. Until improvements are made, security weaknesses are more likely to occur, and the IRS cannot provide assurance that systems containing sensitive taxpayer data are adequately protected from security breaches.


This audit was initiated to determine whether the IRS monitored compliance with security policies and procedures and developed sufficient information security guidance. This review was included in the TIGTA Fiscal Year 2008 Annual Audit Plan and was part of the Information Systems Programs unit's statutory requirements to annually review the adequacy and security of IRS technology.


The IRS has taken insufficient actions to monitor and enforce compliance with security policies and procedures, resulting in weaknesses that put the security and privacy of tax information at risk. Actions taken to correct security weaknesses were not validated, testing to verify compliance with security configurations was not adequate, security incidents were not adequately analyzed for underlying causes, compliance with continuous monitoring requirements was not enforced, and metrics to measure the effectiveness of security measures were not developed.

While the Cybersecurity organization is primarily responsible for monitoring compliance with security guidance, the Modernization and Information Technology Services organization and each of the business functions are responsible for implementing the guidance. In a bureau as large and diverse as the IRS, it is difficult for one office to enforce implementation across organizational lines.

The Cybersecurity organization has developed security guidance that meets standards for 9 of 12 security areas. Guidance for the system development life cycle, capital planning, and security services and products acquisition did not include all necessary considerations to meet requirements and made references to obsolete standards and controls.


The Chief Information Officer, through the Security Services and Privacy Executive Steering Committee, should require system owners to report on progress in addressing actions to correct security weaknesses. The Cybersecurity organization should improve the verification of compliance with standard configurations; analyze security incidents to identify common or systemic underlying weaknesses; ensure system owners prepare continuous monitoring plans; develop quantifiable security metrics based on IRS information security goals and objectives; coordinate with IRS executives to complete security guidance regarding the system development life cycle, capital planning, and acquisition of services and products; improve the Cybersecurity organization Intranet web site to facilitate easy access to security guidance; and develop a system to notify employees and contractors of changes in security guidance.

In their response to the report, IRS officials agreed with all of the recommendations. The Cybersecurity organization plans to address the issues noted in the report and implement all recommendations as stated. The Security Services and Privacy Executive Steering Committee plans to take an active role in overseeing these actions and use the results to improve security in the IRS.


To view the report, including the scope, methodology, and full IRS response, go to:

Email Address:

Phone Number: 202-622-6500

Web Site: